I think MS just did us (and themselves) a disservice.

Richard Sharpe sharpe at ns.aus.com
Thu Jan 11 10:33:48 GMT 2001

Hi Martin,

At 02:22 AM 1/11/01 -0800, Martin Kuhne wrote:
>Sorry, you are wrong.
>cf. CIFS spec section "2.8  Security Model"

Hmmm, pretty blunt ... :-)

OK, I found a version that had Security Model in 2.7. Here it is:

]2.7 Security Model
]Each server makes a set of resources available to clients on the
]network.  A resource being shared may be a directory tree,  printer,
]etc.  So far as clients are concerned, the server has no storage or
]service dependencies on any other servers; a client considers the server
]to be the sole provider of the file (or other resource) being accessed.
]The CIFS protocol requires server authentication of users before file
]accesses are allowed, and each server authenticates its own users.  A
]client system must send authentication information to the server before
]the server will allow access to its resources.
]A server requires the client to provide a user name and some proof of
]identity (often something cryptographically derived from a password) to
]gain access. The granularity of authorization is up to the server. For
]example, it may use the account name to check access control lists on
]individual files, or may have one access control list that applies to
]all files in the directory tree.
]When a server validates the account name and password presented by the
]client, an identifier representing that authenticated instance of the
]user is returned to the client in the Uid field of the response SMB.
]This Uid must be included in all further requests made on behalf of the
]user from that client.

Hmmm, I assume that you are suggesting that one could send separate
SessionSetup&X requests to the server, and one would get back separate
UIDs, which could be sent in separate requests to the server, thus allowing
it to multiplex different security contexts on one TCP session?

Do any servers allow this? 

You have me intrigued now, and I have the tools to try this out.

>-----Original Message-----
>From: Richard Sharpe [mailto:sharpe at ns.aus.com]
>Sent: Wednesday, January 10, 2001 8:04 PM
>To: David Flynn; Francois Gouget; B.V.Dean
>Cc: samba-technical at samba.org
>Subject: Re: I think MS just did us (and themselves) a disservice.
>At 08:01 PM 1/10/01 +0000, David Flynn wrote:
>>>  Gouget writes:
>>> >
>>> >   This has been there since at least NT 3.51. I've never been able
>>> >connect to a server with two different ids.
>>> >
>>> >   Also, despite what they say, I suspect it's not for security
>>> >but truly because of _bad_ design. Or at least it must be simpler
>>> >them to handle it that way.
>>> I miss this. When we used to have Windows 3.1 and PC-NFS I used to
>>> connect over a dozen drive letters to different servers using up to 3
>or 4
>>> it made management much easier!
>>the problem is using a single server.  you can not connect to the
>Yes                     ^^^^^^^^^^^^^
>>server with different credentials.  its annoying, sure, what you said
>>true and still can be done, you can connect to MANY different servers
>>different credentials, but not to a single server.
>I think that, fundamentally, this is a problem with the protocol,
>to us by IBM, but modified by MS in places, and the implementation used
>Let me explain.
>Authentication is done by sending a sessionsetup&X request, which
>the username and password proof.  There is no concept of authenticating
>separate sessions.
>Later, when you want to access a share, you send the request to access
>share over the TCP connection set up to that system earlier. All access
>shares on the one system are sent over the single TCP connection to that
>system. You cannot authenticate as a different user for another share
>because that would require a logoff as the previous user and a logon as
>new user. This may compromise security, and would involve losing the old
>shares, and so on.
>However, you can authenticate as a different user if you can set up a
>TCP connection to the target system. I have observed that the only way
>can manage this is:
>  - Use a different NetBIOS name for the target system. While Samba
>    a server to have multiple NetBIOS names, I am not sure that Windows
>    does.  When you connect to a server using a different NetBIOS name 
>    from a Windows client, the redirector sets up a new TCP connection.
>  - Use the IP address of the server if the client allows that.
>Both of these are limited, in that you may be able to authenticate
>or three times, but not more than the number of NetBIOS names + n (for
>IP addresses the server has) supported by the server.
>>> Barry V Dean
>Richard Sharpe, sharpe at ns.aus.com
>Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
>Contributing author, SAMS Teach Yourself Samba in 24 Hours
>Author, Special Edition, Using Samba

Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
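To make the question above concrete, here is an added example (not code from this thread, from Samba, or from the CIFS spec). It packs real 32-byte SMB1 headers with the real command codes for SessionSetup&X (0x73), TreeConnect&X (0x75) and Logoff&X (0x74), but everything else is a constructed simulation: the request bodies carry only an account or share name, there is no password check, the Uid and Tid values are arbitrary, and the "connection" is a Python object rather than a TCP socket. The toy server does what the quoted Security Model text implies: each SessionSetup&X yields a fresh Uid, every later request must carry a Uid this connection issued, and logging off one Uid leaves the other security context intact. Whether a real Windows server accepts a second SessionSetup&X on the same connection is exactly the open question in the mail; the toy server simply allows it.

```python
"""Toy SMB1/CIFS exchange: several SessionSetup&X on one TCP session.

Added example; not code from this thread, from Samba, or from the CIFS
spec.  The 32-byte SMB header layout and the command codes are the real
SMB1 ones, but the request bodies and the server are a constructed
simulation: no network, no password check, arbitrary Uid/Tid values.
"""
import struct

SMB_MAGIC = b"\xffSMB"
COM_SESSION_SETUP_ANDX = 0x73
COM_LOGOFF_ANDX = 0x74
COM_TREE_CONNECT_ANDX = 0x75

STATUS_SUCCESS = 0x00000000
# DOS-style error, class ERRSRV (0x02), code ERRbaduid (0x5B).  Written
# little-endian into the 4-byte Status field that is 0x005B0002, the value
# MS-CIFS lists as STATUS_SMB_BAD_UID.
STATUS_SMB_BAD_UID = 0x005B0002

# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID  (32 bytes, little-endian)
HDR = "<4sBIBHH8sHHHHH"
HDR_LEN = struct.calcsize(HDR)


def pack_header(command, status=STATUS_SUCCESS, tid=0, uid=0, mid=0, pid=0x1234):
    return struct.pack(HDR, SMB_MAGIC, command, status, 0x18, 0x0001,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def parse_header(buf):
    fields = struct.unpack(HDR, buf[:HDR_LEN])
    if fields[0] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": fields[1], "status": fields[2], "tid": fields[8],
            "uid": fields[10], "mid": fields[11], "body": buf[HDR_LEN:]}


class ToyCifsServer:
    """State of ONE TCP connection: the Uid and Tid tables live here."""

    def __init__(self):
        self.next_uid = 0x0801          # constructed value; 0 is not a valid Uid
        self.next_tid = 1
        self.sessions = {}              # uid -> account name
        self.trees = {}                 # tid -> (uid, share)

    def handle(self, raw):
        req = parse_header(raw)
        cmd, uid, mid = req["command"], req["uid"], req["mid"]
        if cmd == COM_SESSION_SETUP_ANDX:
            # Constructed body: just the account name.  A real body carries
            # the password proof as well; nothing is verified here.
            name = req["body"].decode()
            uid = self.next_uid
            self.next_uid += 1
            self.sessions[uid] = name      # a new security context
            return pack_header(cmd, uid=uid, mid=mid)
        # Every other request must carry a Uid this connection handed out.
        if uid not in self.sessions:
            return pack_header(cmd, STATUS_SMB_BAD_UID, uid=uid, mid=mid)
        if cmd == COM_TREE_CONNECT_ANDX:
            tid = self.next_tid
            self.next_tid += 1
            # Design choice of this toy: a Tid remembers the Uid that made
            # it, so later requests can be checked against that user.
            self.trees[tid] = (uid, req["body"].decode())
            return pack_header(cmd, tid=tid, uid=uid, mid=mid)
        if cmd == COM_LOGOFF_ANDX:
            del self.sessions[uid]
            # Drop only this user's trees; other contexts on the connection stay.
            self.trees = {t: v for t, v in self.trees.items() if v[0] != uid}
            return pack_header(cmd, uid=uid, mid=mid)
        raise ValueError("command 0x%02x not modelled" % cmd)


def run_exchange():
    """Two accounts, one 'connection'.  Returns what the client observed."""
    srv = ToyCifsServer()

    def send(cmd, body, uid=0, mid=0):
        return parse_header(srv.handle(pack_header(cmd, uid=uid, mid=mid) + body))

    alice = send(COM_SESSION_SETUP_ANDX, b"alice", mid=1)["uid"]
    bob = send(COM_SESSION_SETUP_ANDX, b"bob", mid=2)["uid"]
    t1 = send(COM_TREE_CONNECT_ANDX, b"\\\\SRV\\share1", uid=alice, mid=3)
    t2 = send(COM_TREE_CONNECT_ANDX, b"\\\\SRV\\share2", uid=bob, mid=4)
    # A Uid the server never issued must be rejected, not silently mapped.
    forged = send(COM_TREE_CONNECT_ANDX, b"\\\\SRV\\share1", uid=0x7777, mid=5)
    send(COM_LOGOFF_ANDX, b"", uid=alice, mid=6)
    after = send(COM_TREE_CONNECT_ANDX, b"\\\\SRV\\share3", uid=bob, mid=7)
    return {
        "alice_uid": alice, "bob_uid": bob,
        "alice_tid": t1["tid"], "bob_tid": t2["tid"],
        "forged_status": forged["status"],
        "bob_after_alice_logoff": after["status"],
        "live_sessions": dict(srv.sessions),
        "live_trees": dict(srv.trees),
    }


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print("%-24s %r" % (k, v))
```

The two things worth checking in a capture of a real server are the ones the toy makes explicit: does the second SessionSetup&X come back with a different, non-zero Uid while the first is still usable, and does a TreeConnect&X carrying a Uid the server never issued get ERRSRV/ERRbaduid rather than being quietly attached to the existing session.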
